IBM 3.8 must

Chapter 2. Implementation planning 89

Similarly to Solution A, there are three main requests that need to be addressed:

򐂰Controllers in the External zone connecting Targets in the Internal zone:

The change in the design has no affect on this request, and Controller 1 is

able to connect to Target 1 using the A path, as described in “Implementation

Planning Case Study: Solution A” on page 83.

򐂰Controllers in the External zone connecting Targets in the Servers zone:

The second requirement is that Controller 1 needs to contact Target 2 in the

Server zone. As shown in Figure 2-5, because the Endpoint Gateway was

removed from the Server zone, a new Endpoint/Gateway Proxy B architecture

needs to be deployed to manage Targets in the Server zone.

For Remote Control operations, a new RC Target Proxy B needs to be

installed on top of the Endpoint Proxy B and it bec omes automatically a

Parent, as the Endpoint Proxy is a Parent. On the other side of Firewall 3, a

new RC Controller Proxy B needs to be installed on top of the Gateway Proxy

B, and, of course, this component becomes the Child. Using this architecture,

the request from Controller 2 is forwarded from the A path to the B path using

the Endpoint Proxy routing technology.

򐂰Controllers in the Internal zone connecting Targets in the Servers zone:

The third requirement is still raised by the CSI Level 3 support group. Thes e

administrators need to have remote control access to Targets in both Internal

and Servers zone. Targets in the Internal zone will be managed by Controller

2 using the non-secure 1 IBM Tivoli Remote Control process. However, the

Controller 2 could benefit from the RC Proxy architecture to get the Target 2

sited in the Servers zone. It just needs to connect to the RC Target Proxy B,

which will transfer the request to the RC Cont roller Proxy B. So, the Controller

2 is able to contact the Target 2 using the B path.

Table2-12, Table 2-13, and Table2-14 summarize all of the necessary ne twork

communications ports that may help in configuring the RC Proxies, TFST

components, as well as the firewalls of CSI Corporation.

Important: Reques ts initiated by a Controller can be forwarded from one

RC Target Proxy/RC Controller Proxy architecture to another RC Target

Proxy/RC Controller Proxy architecture. However, these two architectures

must be RC Proxy Non-Standalone solutions, because the request is

transmitted from one part to the other using the routing technology of the

Endpoint Proxy components.

For more information about the Endpoint Proxy routing technology, refer to

the

Firewall Security Toolbox User ’s Guide

, GC23-4826 and to the

, SG24-5510.